
Transcript command allows anyone to read private messages

High
eartharoid published GHSA-prrj-xf36-342w Aug 25, 2023

Package

Discord Tickets Bot

Affected versions

4.0.0-4.0.8

Patched versions

4.0.9

Description

Summary

The /transcript command can be used by anyone to get the transcript of other members' tickets.

Details

In the affected versions, the /transcript command has no permission or authorisation checks, so anyone who has the channel ID of a ticket receives the generated transcript, no matter who they are. This is only possible if the archiving feature is enabled in your guild.
It is worse for public bots: when the channel ID is given manually, the /transcript command works across guilds, so revoking access to the /transcript command does not remove the vulnerability if users can add the bot to their own guilds.

This shouldn't be an issue, but despite being hidden in the Discord client, users can access the name and ID of channels they don't have permission to view. This hidden information can be made visible using client modifications such as Better Discord.

PoC

  1. Create a ticket.
  2. With developer mode enabled, copy the channel ID. This is where client modifications would be used by unauthorised members to show hidden channels.
  3. Close the ticket.
  4. Switch to another account that has no permissions.
  5. Type /transcript ticket: and paste the channel ID.
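As an added example (not the Discord Tickets code), the unchecked lookup the advisory describes beside an authorised version that ties the transcript to the invoking guild and to the ticket creator or a staff role; the archive, the requester object and the staff role ID are constructed for the example.

```javascript
// Constructed ticket archive: channelId -> ticket metadata and transcript text.
const archive = new Map([
  ['111', { guildId: 'g1', creatorId: 'alice', transcript: 'alice: help\nstaff: fixed' }],
  ['222', { guildId: 'g2', creatorId: 'bob', transcript: 'bob: private details' }],
]);

// Behaviour in the affected versions: any caller who supplies a channel ID
// gets the transcript, regardless of identity or the guild the command ran in.
function getTranscriptUnchecked(channelId) {
  const ticket = archive.get(channelId);
  return ticket ? ticket.transcript : null;
}

// Hardened version. `requester` is { userId, guildId, roleIds }, the values an
// interaction handler would read from the invoking user (constructed here).
// Every failed check returns null so callers cannot tell "no such ticket"
// apart from "not permitted", which avoids confirming hidden channel IDs.
function getTranscriptAuthorised(channelId, requester, staffRoleId) {
  const ticket = archive.get(channelId);
  if (!ticket) return null;
  // Block cross-guild lookups: the ticket must belong to the guild the command ran in.
  if (ticket.guildId !== requester.guildId) return null;
  // Only the ticket creator or a staff member of that guild may read it.
  const isCreator = ticket.creatorId === requester.userId;
  const isStaff = requester.roleIds.includes(staffRoleId);
  if (!isCreator && !isStaff) return null;
  return ticket.transcript;
}
```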

Original report by @MsEDok

Summary

This lets anyone who can use /transcript get the target transcript.

Details

When a user does '/transcript' it suggests a list of the tickets that the user has created, but if the user knows the channel ID it is possible to get the transcript.

PoC

With public bot

  • invite the public bot to your private server
  • join a server that uses the public bot
  • use "Better Discord" or a tool to see hidden channels (the user that told me this uses some browser extension)
  • copy the channel ID, go back to the private server and do /transcript; you will get the transcript of that channel

With selfhost bot

  • get the channel ID on the selfhost bot's Discord
  • find an allowed channel that allows "/transcript"
  • do /transcript
  • get the transcript

Impact

Security vulnerability; it impacts anyone who uses the bot (public, selfhost). I have not tested with a managed bot but assume it is the same.

Severity

High


CVSS v3 base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: Low
Availability: None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CVE ID

No known CVE
